Introduction: RBI System Audit Report (SAR) & Data Localisation
The Reserve Bank of India (RBI) is the sovereign regulator of India's banking and payment-system landscape, and it has progressively raised the bar on the technology-risk posture of every regulated entity that touches money. The System Audit Report (SAR) regime and the accompanying data-localisation mandate sit at the centre of this expectation. In plain terms, if you operate a payment system, issue prepaid instruments, run a payment aggregator or gateway, provide payment-related services, or are a scheduled commercial bank, small finance bank, payments bank, urban co-operative bank, NBFC or a Non-bank Financial Company operating a payment system, then a periodic, independent System Audit is not optional — it is a licensing and continuance condition.
This guide is written for the person who actually has to sit in the audit chair — the CISO, the head of IT, the compliance lead, the internal auditor and the external empanelled auditor. It walks through what the SAR actually is, who must produce one, how it is structured, and — most importantly — a master assessment checklist that enumerates every control family the RBI expects an auditor to examine, together with the evidence a QSA-grade reviewer would demand. It also covers the closely bound obligation of storing payment-system data only within India (the Data Storage / Data Localisation directive of April 2018), because in practice the SAR must confirm compliance with it.
Two distinct but overlapping instruments drive this: (1) the RBI circular DPSS.CO.OD.No.2785/06.08.005/2017-2018 dated 6 April 2018 on 'Storage of Payment System Data', and (2) the requirement embedded across the Payment Aggregator / Payment Gateway (PA-PG) guidelines, the Master Directions on Prepaid Payment Instruments (PPIs), the RBI Master Direction on Digital Payment Security Controls (2021), and the general licensing conditions under the Payment and Settlement Systems Act, 2007 (PSS Act) for a periodic System Audit. The SAR is the deliverable through which an entity demonstrates conformance to all of them.
Copyright & source note
RBI circulars, Master Directions and the PSS Act are official Government of India / Reserve Bank of India publications. The control identifiers, dates and terminology referenced here are paraphrased for guidance only and must never be treated as a substitute for the authoritative text on the RBI website (rbi.org.in). Always audit against the latest version of the relevant circular, as RBI amends timelines and scope through addenda and FAQs. This CyberSigma guide contains original explanatory content and does not reproduce copyrighted RBI text.
What is the RBI System Audit (SAR)?
A System Audit is an independent, evidence-based examination of the information systems, technology infrastructure, information-security controls and operational processes of an RBI-regulated payment or financial entity, conducted by an external auditor who is empanelled with CERT-In (the Indian Computer Emergency Response Team) or is a qualified independent professional acceptable to RBI. The output of that examination is the System Audit Report — the SAR — a formal, signed document submitted to RBI (and retained for inspection) confirming whether the entity's systems are secure, resilient, compliant and, specifically for payment operators, whether payment-system data is stored only in India.
The SAR is not a one-off certification. For most payment operators it is an annual (or as-specified) recurring obligation. For a Payment Aggregator seeking authorisation, an initial SAR is a condition of the in-principle-to-final licence progression; thereafter an annual SAR must be submitted. The audit must be forward-looking — it covers the design and operating effectiveness of controls over the review period, not merely a point-in-time snapshot.
The SAR combines several audit disciplines: an IS (information systems) audit, an information-security / cyber-security review, a business-continuity and disaster-recovery assessment, an application-security review of payment applications, a data-localisation compliance verification, and — for PA/PGs — merchant-onboarding and settlement-control testing. The auditor issues an opinion, lists observations by risk severity, and confirms closure of prior-period findings.
How the SAR differs from a general IT audit
- It is regulator-mandated and regulator-submitted — RBI is the audience, not just the board.
- It carries statutory weight under the PSS Act, 2007; adverse findings can jeopardise the authorisation to operate a payment system.
- It must be performed by a CERT-In empanelled auditor or an RBI-acceptable independent professional, not merely an internal team.
- It has a mandatory data-localisation verification component that a generic ISO 27001 audit would not include.
- Findings must be tracked to closure and re-verified in the next cycle; open high-risk items must be reported.
Who must comply
The obligation to obtain a System Audit and submit a SAR is triggered by the nature of the licence or authorisation held. The data-localisation directive of April 2018 applies to all 'system providers' and their participants, service providers, intermediaries, payment gateways, third-party vendors and other entities in the payment ecosystem. The table below summarises the principal categories.
| Regulated entity type | SAR / audit obligation | Governing instrument |
|---|
| Payment Aggregators (PA) — online | Initial SAR for authorisation + annual SAR thereafter | PA-PG Guidelines (Mar 2020, as amended) |
| Payment Gateways (PG) — technology providers | System audit as advised (baseline technology recommendations) | PA-PG Guidelines |
| Prepaid Payment Instrument (PPI) issuers | Annual system audit; audit of escrow / float | Master Direction on PPIs (2021) |
| Scheduled Commercial Banks & SFBs | Periodic IS audit + cyber-security framework audit | Cyber Security Framework circular (2016); Digital Payment Security Controls (2021) |
| Payments Banks & Urban Co-operative Banks | IS audit per applicable tier / graded framework | UCB Cyber Security Framework (graded) |
| NBFCs operating payment systems / large NBFCs | IT audit per Master Direction on IT Governance | Master Direction on IT Governance, Risk, Controls & Assurance (2023) |
| Card networks / operators of authorised payment systems | System audit + data-localisation SAR | PSS Act, 2007; Data Storage circular (Apr 2018) |
| Third-party service providers / intermediaries handling payment data | Compliance verified within the principal's SAR | Data Storage circular (Apr 2018) |
| White-label ATM operators | System audit as per authorisation conditions | PSS Act authorisation conditions |
- Any entity that stores, processes or transmits payment-system data — even if outsourced — is in scope for the data-localisation verification.
- Cross-border transaction data may be processed abroad but the data must be brought back and stored only in India, with any foreign copy deleted within a defined window (commonly cited as 24 hours from payment processing).
- Fintechs partnering with a regulated entity are covered transitively; the regulated principal remains accountable.
- Group entities and cloud / co-location providers used by the regulated entity fall within audit scope.
Structure of the RBI System Audit (SAR)
There is no single monolithic 'control catalogue' number range as in PCI DSS or NIST; instead, the SAR is structured around control domains drawn from the applicable RBI Master Directions and circulars. In practice a competent auditor organises the SAR into the domains below. This structure aligns the SAR with the RBI Master Direction on Digital Payment Security Controls (2021) and the PA-PG baseline technology recommendations, which are the most detailed control sources.
| Domain code | Domain / control family | Primary source | Illustrative control count |
|---|
| D1 | Governance, Risk & Board Oversight | IT Governance MD (2023); DPSC (2021) | 10-14 |
| D2 | Information Security Policy & Standards | DPSC (2021); Cyber Security Framework | 8-12 |
| D3 | Network Security & Segmentation | DPSC (2021) | 10-15 |
| D4 | Application Security (payment apps) | DPSC (2021); PA-PG baseline | 12-18 |
| D5 | Authentication & Access Control | DPSC (2021) | 10-14 |
| D6 | Cryptography & Key Management | DPSC (2021); Data Storage circular | 8-10 |
| D7 | Data Localisation & Data Governance | Data Storage circular (Apr 2018) | 8-12 |
| D8 | Fraud Risk Management & Transaction Monitoring | DPSC (2021); PA-PG | 8-12 |
| D9 | Merchant Onboarding & KYC (PA/PG only) | PA-PG Guidelines | 10-14 |
| D10 | Settlement, Escrow & Nodal Account Controls | PA-PG; PPI MD | 8-12 |
| D11 | Vendor / Outsourcing & Third-party Risk | Outsourcing guidelines; DPSC | 8-10 |
| D12 | Incident Response & Reporting to RBI/CERT-In | CERT-In directions (2022); DPSC | 8-10 |
| D13 | Business Continuity & Disaster Recovery | BCP guidelines; DPSC | 8-10 |
| D14 | Logging, Monitoring & Audit Trails | DPSC (2021); CERT-In (2022) | 8-12 |
| D15 | Change & Patch Management | DPSC (2021) | 6-10 |
| D16 | Vulnerability Management & Penetration Testing | DPSC (2021); PA-PG | 6-10 |
Master assessment checklist
This is the operational heart of the SAR. Below, each domain is expanded into what the auditor must verify and the typical evidence a CERT-In empanelled auditor or PCI QSA would collect. Nothing here should be skipped; where a domain is not applicable (for example, merchant onboarding for a non-PA entity), the auditor must formally record it as 'not applicable with justification' rather than omit it.
D1 — Governance, Risk & Board Oversight
| What to verify | Typical evidence |
|---|
| Board-approved IT/IS and cyber-security strategy exists and is reviewed periodically | Board/IT Strategy Committee minutes; approved policy with version dates |
| A designated CISO independent of the IT development function is appointed | Appointment letter; organisation chart; reporting line to risk/board |
| IT Steering / Risk Committee meets at defined cadence with quorum | Committee charter; meeting minutes; attendance registers |
| Technology risk register is maintained with owners and treatment plans | Risk register; risk-acceptance sign-offs; remediation trackers |
| Roles, responsibilities and segregation of duties are documented | RACI matrix; SoD matrix; access-grant approvals |
| Prior SAR observations are tracked to closure | Prior SAR; closure tracker; evidence of remediation |
D2 — Information Security Policy & Standards
| What to verify | Typical evidence |
|---|
| A comprehensive, board-approved information-security policy is in force | Signed policy; approval record; review history |
| Standards and procedures cascade from policy (hardening, acceptable use, data classification) | Standard operating procedures; hardening baselines; classification schema |
| Policy exceptions are formally approved and time-bound | Exception register; risk sign-off; expiry tracking |
| Staff acknowledge policies and undergo security awareness training | Acknowledgement logs; training completion records; phishing-simulation results |
| Policies are reviewed at least annually or on material change | Version control log; review minutes |
D3 — Network Security & Segmentation
| What to verify | Typical evidence |
|---|
| Network is segmented; the cardholder/payment environment is isolated from corporate and internet zones | Network diagrams; VLAN/firewall zone config; segmentation test results |
| Firewall and router rule-sets follow least-privilege and are reviewed periodically | Firewall rule export; rule-review sign-offs; change tickets |
| Ingress/egress controls, DMZ and secure gateways are in place | Architecture diagram; proxy/gateway config |
| Wireless networks are secured and separated from the payment environment | WLAN config; encryption settings; rogue-AP scan results |
| DDoS protection and perimeter defences are deployed | WAF/DDoS service config; test evidence |
| Remote access uses secured, MFA-protected VPN with logging | VPN config; MFA enrolment; access logs |
D4 — Application Security (payment applications)
| What to verify | Typical evidence |
|---|
| Secure SDLC is followed with security requirements and code review | SDLC policy; code-review records; security gate sign-offs |
| Applications defend against OWASP Top 10 and payment-specific abuse | SAST/DAST reports; remediation evidence |
| Input validation, output encoding and session management are enforced | Design docs; test cases; scan results |
| Sensitive data is never exposed in URLs, logs or error messages | Log samples; code review; error-handling review |
| Mobile / API endpoints are hardened (rate limiting, tokenisation, cert pinning) | API gateway config; mobile app test report |
| Application changes go through security testing before production | Release checklist; pre-prod pentest evidence |
D5 — Authentication & Access Control
| What to verify | Typical evidence |
|---|
| Multi-factor authentication for administrative, remote and privileged access | MFA policy; enrolment reports; login logs |
| Role-based access with least privilege and periodic recertification | RBAC matrix; access-review reports; revocation records |
| Privileged access is managed through a PAM solution with session recording | PAM config; session recordings; vaulting evidence |
| Joiner-mover-leaver process removes access promptly on exit | HR-IT deprovisioning tickets; timing evidence |
| Customer authentication uses risk-based / additional-factor mechanisms | AFA design; OTP/step-up config; transaction logs |
| Default and shared credentials are eliminated | Config review; account inventory |
D6 — Cryptography & Key Management
| What to verify | Typical evidence |
|---|
| Data in transit is protected with strong TLS (weak protocols/ciphers disabled) | TLS scan (e.g. testssl); config export |
| Data at rest — especially card and PII — is encrypted or tokenised | Encryption config; tokenisation vault evidence; DB config |
| Card data storage complies with PCI DSS and RBI tokenisation mandates | PCI AoC/RoC; tokenisation implementation evidence |
| Cryptographic keys are managed in HSM/KMS with rotation and dual control | HSM/KMS logs; key-ceremony records; rotation schedule |
| No storage of full card data / CVV where prohibited | Data-discovery scan; DB schema review |
D7 — Data Localisation & Data Governance
| What to verify | Typical evidence |
|---|
| All payment-system data is stored only in a system located in India | Data-flow diagrams; server/DC location certificates; hosting contracts |
| Full end-to-end transaction details are within India (payment instruction, credentials, transaction and settlement data) | Data-element mapping; storage-location attestation |
| Foreign-leg processing (if any) has data brought back and foreign copy deleted within the stipulated window | Deletion logs; data-purge evidence; timestamps |
| No unauthorised replication, backup or DR site of payment data outside India | DR/backup location evidence; cloud-region config |
| Data classification and retention policy governs payment data | Classification schema; retention/disposal records |
| Third parties and cloud providers contractually enforce India-only storage | Contracts; DPAs; audit-right clauses |
D8 — Fraud Risk Management & Transaction Monitoring
| What to verify | Typical evidence |
|---|
| Real-time / near-real-time transaction monitoring and velocity checks operate | Fraud-engine config; rule library; alert logs |
| Fraud risk management framework is board-approved and reviewed | FRM policy; committee minutes |
| Customer alerts and cooling-off / transaction-limit controls exist | Alert templates; limit configuration |
| Suspicious transactions are investigated and escalated | Case-management records; SAR/STR filings where applicable |
| Chargeback and dispute handling processes are defined | Dispute SOP; MIS reports |
D9 — Merchant Onboarding & KYC (Payment Aggregators / Gateways)
| What to verify | Typical evidence |
|---|
| Merchant onboarding follows a board-approved policy with due diligence | Onboarding policy; KYC checklists |
| KYC / CDD is performed on merchants per RBI KYC Master Direction | KYC records; verification evidence; risk categorisation |
| Prohibited / high-risk merchant categories are screened out | Negative-list; MCC controls; screening logs |
| Merchant website/app checks for compliance and security are performed | Site-review checklist; security-scan of merchant integration |
| Ongoing monitoring of merchant activity and transaction patterns | Monitoring MIS; anomaly alerts |
| Merchant agreements bind data-security and localisation obligations | Executed agreements; clause review |
D10 — Settlement, Escrow & Nodal Account Controls
| What to verify | Typical evidence |
|---|
| Collections flow through an escrow / nodal account with a scheduled commercial bank | Escrow account statements; bank confirmation |
| No commingling of merchant funds with the PA's own funds | Ledger reconciliation; segregation evidence |
| Settlement to merchants happens within regulatory timelines (Tp+1 etc.) | Settlement reports; timing analysis |
| Debits/credits to escrow are only for permitted purposes | Transaction logs; permitted-debit review |
| Daily reconciliation of escrow balance against outstanding obligations | Reconciliation statements; break resolution |
| Core-portion / float balances maintained as required | Balance certificates; auditor confirmation |
D11 — Vendor / Outsourcing & Third-party Risk
| What to verify | Typical evidence |
|---|
| Outsourcing policy aligns with RBI outsourcing guidelines | Outsourcing policy; board approval |
| Due diligence and risk assessment performed before onboarding vendors | Vendor risk assessments; due-diligence reports |
| Contracts include audit rights, RBI inspection rights, SLAs and exit clauses | Executed contracts; clause matrix |
| Vendor access to systems/data is controlled and logged | Access records; monitoring logs |
| Fourth-party / sub-contracting risk is assessed and approved | Sub-contract disclosures; approvals |
D12 — Incident Response & Reporting to RBI / CERT-In
| What to verify | Typical evidence |
|---|
| A documented, tested incident-response plan exists | IR plan; tabletop/drill records |
| Security incidents are reported to CERT-In within 6 hours (2022 directions) | Incident register; CERT-In submission acknowledgements |
| Material incidents / breaches are reported to RBI within stipulated time | RBI incident reports; timing evidence |
| Roles, escalation matrix and communication plan are defined | Escalation matrix; contact lists |
| Root-cause analysis and lessons-learned drive improvement | RCA reports; corrective-action tracking |
D13 — Business Continuity & Disaster Recovery
| What to verify | Typical evidence |
|---|
| BCP and DR plans exist with defined RTO/RPO for payment systems | BCP/DR documents; RTO/RPO definitions |
| DR site is within India and periodically tested | DR test reports; DR location evidence |
| Business impact analysis underpins recovery priorities | BIA document; criticality ratings |
| Backups are taken, encrypted and restoration-tested | Backup logs; restore-test evidence |
| Near-zero / high-availability architecture for critical payment flows | Architecture diagrams; uptime SLA reports |
D14 — Logging, Monitoring & Audit Trails
| What to verify | Typical evidence |
|---|
| Comprehensive audit trails capture user, admin and system activity | Log configuration; sample log extracts |
| Logs are time-synchronised (NTP), tamper-protected and centralised (SIEM) | NTP config; SIEM ingestion evidence; integrity controls |
| Logs are retained per regulatory requirement (commonly 180 days rolling as per CERT-In) | Retention policy; storage evidence |
| Security monitoring / SOC provides alerting and correlation | SOC runbooks; alert samples; use-case list |
| Privileged and payment-transaction events are specifically monitored | Monitoring use-cases; alert logs |
D15 — Change & Patch Management
| What to verify | Typical evidence |
|---|
| Formal change-management process with approvals and rollback | Change tickets; CAB minutes; rollback plans |
| Security patches applied within defined SLA by criticality | Patch reports; SLA tracking; exception log |
| Emergency changes follow a controlled, documented path | Emergency-change records; post-implementation review |
| Segregation between development, test and production environments | Environment inventory; access separation evidence |
D16 — Vulnerability Management & Penetration Testing
| What to verify | Typical evidence |
|---|
| Regular vulnerability assessment of infrastructure and applications | VA scan reports; scan schedule |
| Independent penetration testing performed at least annually and after major change | VAPT reports by qualified testers; scope documents |
| Findings are risk-rated and remediated within SLA, with re-testing | Remediation tracker; re-test evidence |
| ASV / external scans for internet-facing payment assets | External scan reports; clean-scan attestations |
Scoping
Accurate scoping determines the credibility of the SAR. The auditor must first establish the payment-data footprint: every system, application, database, network segment, interface, API, cloud tenancy and third party that stores, processes or transmits payment-system data. Under-scoping is the single most common reason RBI rejects a SAR or issues an adverse continuance direction.
- Define the in-scope environment by following the data: trace the full transaction lifecycle from customer initiation to settlement and archival.
- Include all supporting systems — authentication, key management, logging, monitoring, backup and DR — even if they do not process transactions directly.
- Include outsourced components: cloud hosting, managed SOC, payment-processor connections and merchant-integration layers.
- Explicitly document out-of-scope systems with the justification for exclusion (e.g. segmentation that isolates them).
- For data localisation, scope must cover every copy of payment data including backups, DR, analytics stores, logs and reporting systems.
- State the review period covered by the SAR (typically the preceding 12 months for an annual audit).
Scoping tip
Segmentation reduces scope only if it is proven. If you claim a corporate zone is out of scope, the auditor must validate the isolation with segmentation testing. Unproven segmentation collapses the boundary and pulls the excluded systems back in.
Implementation approach (phased)
Entities that treat the SAR as a last-minute compliance scramble invariably fail. A phased programme, ideally spanning three to four months before the submission deadline, produces a defensible report and, more importantly, genuinely secure systems.
Phase 1 — Initiation & Scoping (Weeks 1-2)
- Activities: appoint a CERT-In empanelled auditor; agree scope, review period and methodology; hold kick-off; collect prior SAR and closure status; build the data-flow and asset inventory.
- Deliverables: signed engagement letter; agreed scope document; audit plan; data-flow diagrams; asset register.
Phase 2 — Control Design Review (Weeks 3-5)
- Activities: review policies, standards, architecture and process documents against each domain; identify design gaps; map controls to RBI Master Directions.
- Deliverables: control-design assessment; preliminary gap list; requests-for-information tracker.
Phase 3 — Control Operating-Effectiveness Testing (Weeks 6-10)
- Activities: sample-based testing of evidence, log reviews, configuration reviews, VAPT, segmentation testing, data-localisation verification, escrow reconciliation checks.
- Deliverables: test working papers; VAPT report; data-localisation verification memo; provisional findings.
Phase 4 — Remediation & Re-test (Weeks 10-13)
- Activities: management remediates high-risk findings; auditor re-tests; residual risk assessed; closure of prior-period items confirmed.
- Deliverables: remediation evidence; re-test results; updated findings register.
Phase 4b — Reporting & Submission (Weeks 13-14)
- Activities: draft SAR with opinion and risk-rated observations; management responses obtained; auditor sign-off; board / audit-committee review; submission to RBI.
- Deliverables: signed System Audit Report; management action plan; RBI submission acknowledgement.
Maturity / capability scoring model
While RBI does not prescribe a formal maturity scale, a capability-maturity model is invaluable for tracking progress cycle-on-cycle and prioritising remediation. CyberSigma applies the following five-level model, aligned to CMMI-style thinking, to each control domain.
| Level | Name | Description | Typical SAR outcome |
|---|
| 1 | Initial / Ad-hoc | Controls absent or informal; reliance on individuals | Major non-conformity; likely adverse SAR |
| 2 | Developing | Some controls documented but inconsistently applied | Multiple high-risk observations |
| 3 | Defined | Controls documented, approved and consistently followed | Baseline acceptable; medium observations |
| 4 | Managed | Controls measured, monitored and reviewed with metrics | Clean SAR with minor observations |
| 5 | Optimising | Continuous improvement, automation and threat-informed tuning | Exemplary SAR; leading practice |
A target maturity of Level 3 (Defined) is the minimum for a clean SAR; regulated entities of systemic importance should aim for Level 4 across the payment-critical domains (D3-D7, D10, D12-D14).
Assessment and audit approach
- Confirm the auditor's independence and CERT-In empanelment (or RBI-acceptable status) and document the engagement scope and review period.
- Obtain and study the prior SAR, closure tracker, and any RBI correspondence or inspection findings.
- Build a complete asset and data-flow inventory; validate the boundary and, where claimed, test segmentation.
- Perform control-design review against each of the sixteen domains, mapping to the relevant RBI Master Direction or circular.
- Perform operating-effectiveness testing on a risk-based sample: configuration reviews, log analysis, VAPT, escrow reconciliation and data-localisation verification.
- Specifically verify data localisation: trace every payment-data element, confirm India-only storage, and validate deletion of any permitted foreign copy within the stipulated window.
- Risk-rate each observation (Critical / High / Medium / Low) with impact and likelihood rationale.
- Present provisional findings to management; obtain responses and remediation commitments; re-test remediated high-risk items.
- Draft the SAR with an overall opinion, domain-level conclusions, the findings register and management action plan.
- Obtain auditor sign-off, board / audit-committee review, and submit the signed SAR to RBI within the prescribed timeline, retaining working papers for inspection.
Evidence request list
The following categorised list is what an auditor will request. Assembling it in advance dramatically accelerates the engagement.
- Governance: board/committee minutes, IT & security strategy, CISO appointment, risk register, org charts, SoD matrix.
- Policies & standards: information-security policy, hardening baselines, data-classification schema, acceptable-use policy, exception register.
- Network: architecture and data-flow diagrams, firewall rule exports, segmentation test results, VPN and wireless configs.
- Application: SDLC policy, code-review records, SAST/DAST reports, API and mobile security test results, release checklists.
- Access & authentication: RBAC/PAM configs, access-review reports, MFA enrolment, joiner-mover-leaver tickets.
- Cryptography: TLS scan output, encryption/tokenisation configs, HSM/KMS logs, PCI DSS AoC/RoC.
- Data localisation: hosting/DC location certificates, data-element mapping, foreign-copy deletion logs, cloud-region configs, third-party contracts.
- Fraud & monitoring: FRM policy, fraud-engine rules, alert logs, dispute/chargeback MIS.
- Merchant & settlement (PA/PG): onboarding policy, KYC records, escrow statements, settlement reports, reconciliations.
- Vendor: outsourcing policy, vendor risk assessments, contracts with audit/RBI-inspection clauses.
- Incident & continuity: IR plan, CERT-In/RBI incident submissions, BCP/DR plans, DR test reports, backup and restore logs.
- Logging & monitoring: SIEM configuration, retention policy, sample logs, SOC runbooks and alert samples.
- Change & vulnerability: change tickets, patch reports, VA/VAPT reports and remediation/re-test evidence.
Roles and responsibilities
| Role | Responsibility in the SAR process |
|---|
| Board / IT Strategy Committee | Approves policies and the audit; reviews SAR findings; owns overall accountability |
| CISO | Owns the security control environment; coordinates remediation; primary auditee contact |
| Head of IT / Technology | Provides infrastructure and application evidence; implements technical remediation |
| Compliance Officer | Ensures regulatory alignment and timely RBI submission; tracks closures |
| Internal Audit | Supports readiness assessment; validates management assertions pre-audit |
| Escrow / Finance controller (PA/PG) | Provides settlement and escrow reconciliation evidence |
| External CERT-In empanelled auditor | Performs independent assessment; issues the signed SAR opinion |
| Vendors / cloud providers | Furnish location attestations, configs and audit-right cooperation |
| Data Protection / Privacy lead | Confirms data localisation, classification and retention compliance |
KPIs to track
- Percentage of prior-period SAR observations closed before the next cycle.
- Number of open Critical/High findings and mean time to remediate.
- Patch SLA adherence rate by criticality.
- VAPT findings trend (open vs closed) cycle-on-cycle.
- Percentage of payment data verified as India-only storage (target 100%).
- Foreign-copy deletion compliance rate within the stipulated window.
- MFA and PAM coverage of privileged accounts.
- Escrow reconciliation break count and resolution time (PA/PG).
- Incident reporting timeliness to CERT-In (within 6 hours) and RBI.
- DR test success rate against RTO/RPO targets.
- Security awareness training completion and phishing-simulation failure rate.
- Maturity score by domain versus target (Level 3/4).
Readiness checklist
- CERT-In empanelled auditor engaged and scope agreed
- Prior SAR observations closed and evidenced
- Complete asset and payment-data-flow inventory prepared
- Segmentation between payment and corporate zones proven
- All payment-system data confirmed stored only in India
- Foreign-copy deletion within stipulated window evidenced
- Board-approved security and fraud-risk policies in force
- MFA and PAM deployed for privileged and remote access
- Card data tokenised / PCI DSS compliance evidenced
- Latest VAPT completed and high-risk findings remediated
- Escrow / nodal account reconciled and within timelines (PA/PG)
- Merchant KYC and onboarding records complete (PA/PG)
- Incident-response plan tested and CERT-In reporting path ready
- BCP/DR plan tested with DR site inside India
- SIEM logging with required retention and monitoring operational
- Vendor contracts include RBI inspection and audit rights
- Management action plan drafted for residual findings
Common gaps
- Payment data replicated to a foreign DR/backup or analytics store, breaching data localisation.
- Foreign-leg processing where the returned data is not deleted within the stipulated window (no deletion logs).
- Unproven segmentation claims that improperly narrow scope.
- Prior SAR observations left open across cycles without closure evidence.
- Weak or absent MFA on administrative and remote access.
- Full card data / CVV storage or absence of RBI-mandated tokenisation.
- Escrow commingling or settlement delays beyond regulatory timelines (PA/PG).
- Inadequate merchant KYC and onboarding of prohibited merchant categories.
- Incident-reporting timelines to CERT-In (6 hours) not met or not evidenced.
- Insufficient log retention (below the CERT-In requirement) or non-time-synchronised logs.
- Vendor contracts lacking RBI inspection / audit-right and exit clauses.
- VAPT findings not remediated or not re-tested before the SAR.
RBI System Audit (SAR) mapped to other frameworks
| RBI SAR domain | PCI DSS v4.0 | ISO/IEC 27001:2022 | NIST CSF 2.0 |
|---|
| Governance & Board Oversight | Req 12 | A.5 Organisational controls | GV (Govern) |
| Information Security Policy | Req 12 | A.5.1 Policies | GV.PO |
| Network Security & Segmentation | Req 1, 11.4 | A.8.20-8.22 | PR.AA / PR.IR |
| Application Security | Req 6 | A.8.25-8.29 | PR.PS |
| Authentication & Access Control | Req 7, 8 | A.8.2-8.5 | PR.AA |
| Cryptography & Key Management | Req 3, 4 | A.8.24 | PR.DS |
| Data Localisation & Governance | (not covered) | A.5.34 / A.8.10-8.12 | GV.PO / PR.DS |
| Fraud & Transaction Monitoring | Req 10, 11 | A.8.16 | DE.CM |
| Incident Response | Req 12.10 | A.5.24-5.28 | RS (Respond) |
| Business Continuity & DR | (supports Req 12) | A.5.29-5.30 / A.8.13-8.14 | RC (Recover) |
| Logging & Monitoring | Req 10 | A.8.15-8.16 | DE.CM / DE.AE |
| Vulnerability Management & VAPT | Req 6, 11 | A.8.8 | ID.RA / PR.PS |
How CyberSigma helps
CyberSigma is a CERT-In empanelled security auditor and PCI QSA firm that runs end-to-end RBI System Audit (SAR) and data-localisation engagements — from scoping and gap assessment through VAPT, escrow-control testing and India-only data verification, to the signed SAR submitted to RBI. We help payment aggregators, PPI issuers, banks and NBFCs close findings, uplift domain maturity to Level 3/4, and stay continuously audit-ready. Talk to our RBI compliance team to plan your next SAR cycle with confidence.